Free Malware Removal Forum


We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our "Waiting for help with malware removal?" forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Hi kcarlasc,

-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder. In addition, the list opens in Notepad so you can also save as another name in another location if you wish. Please paste the contents into your next reply.

kcarlasc,
Facebook is far too sloppy with their security to allow it to come up every time your browser starts. I would change start pages.
-----------------------------------------------------------
Remove Registry items with HijackThis.
Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
------------------------------------------
Scan with ESET online scanner:

Open Internet Explorer by right-clicking the IE icon (on the Start menu or quick launch) and selecting Run as administrator

NOTE: Internet Explorer will temporarily have administrator privileges; this is required for the scan but dangerous for normal surfing, so do NOT open any other websites in IE until after the scan has finished and this window has been closed.

Once the ActiveX has finished loading click Start to initialize and update the scanner

When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.

Once complete and the summary page appears, press Start, copy/paste the following command into the search box and press Enter:

notepad "C:\Program Files\EsetOnlineScanner\log.txt"

The log file should now appear in Notepad, copy and paste the contents in your next response.

Please be sure to close this Internet Explorer window before continuing.

Another item worth mentioning: If you are running from a router, do you know for certain that the router administrator password was changed when it was installed?
If there is a router, are there any other machines on that router, and are they getting redirects?

So we are looking for the ESET report log, and any answers you may have about the router.

askey127
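The two HijackThis entries askey127 asks to have fixed above follow a fixed line format (R1 for Internet Settings values, O2 for Browser Helper Objects), so they can be picked out of a full "Do System Scan Only" log automatically. The script below is an added example, not something from the thread or the HijackThis project: it parses R1 and O2 lines and reports the two patterns from the post, a ProxyOverride value and a BHO registered with "(no file)". The sample log is constructed for the example; its first two lines are the entries quoted above, and the remaining two (the all-zero CLSID and the "Example" paths) are invented benign-looking filler.

```python
import re

# Constructed sample of HijackThis "Do System Scan Only" output. The first two
# lines are the entries quoted in the post above; the last two are invented
# benign-looking entries (the CLSID and paths are placeholders, not real software).
SAMPLE_HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
]

# R1 lines: "R1 - <registry key>,<value name> = <data>"
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")


def parse_line(line):
    """Parse one R1 or O2 line into a dict (with a 'kind' field); other kinds return None."""
    line = line.strip()
    for kind, pattern in (("R1", R1_RE), ("O2", O2_RE)):
        m = pattern.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None


def review_line(line):
    """Return a short reason if the line matches what the post asked to fix, else None."""
    entry = parse_line(line)
    if entry is None:
        return None
    if entry["kind"] == "R1" and entry["value"] == "ProxyOverride":
        # Proxy bypass list has been set; listed for fixing in the post, so report it for review
        return "R1 ProxyOverride = %s: proxy bypass list has been set, review it" % entry["data"]
    if entry["kind"] == "O2":
        if entry["path"].lower() == "(no file)":
            # Registered helper object whose DLL no longer exists: an orphan entry
            return "O2 BHO %s has no file on disk (orphaned BHO)" % entry["clsid"]
        if entry["name"].lower() == "(no name)":
            # Nameless but present DLL: not in the post's list, but worth a look
            return "O2 BHO %s has no name but loads %s" % (entry["clsid"], entry["path"])
    return None


def review_log(lines):
    """Return [(line, reason)] for every line that needs attention, in log order."""
    findings = []
    for line in lines:
        reason = review_line(line)
        if reason is not None:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in review_log(SAMPLE_HJT_LINES):
        print(reason)
        print("    " + line)
```

Run against the constructed sample it reports exactly the two entries from the post and stays silent on the two filler lines. The script deliberately says "review it" rather than "malicious" for ProxyOverride: that value is also what Internet Explorer writes when "Bypass proxy server for local addresses" is ticked, so the helper's judgement, not the pattern alone, decides whether it gets fixed.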

kcarlasc,
OK. If you leave it as the default, bots can change the URLs in the router so all the connections go through their servers on the way to your ISP.

Looks like you may have run this before, but I need to see what it says now.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista - W7 users: Right-click and select "Run As Administrator".
If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
If you don't see file extensions, please see: How to change the file extension.

Click the Start Scan button. Do not use the computer during the scan!

If the scan completes with nothing found, click Close to exit.

If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.

Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.

If Cure is not offered as an option, choose Skip.

A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).

Copy and paste the contents of that file in your next reply.

If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
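The router remark above (a default administrator password lets a bot point the router's DNS at servers the attacker controls) has a simple check on the client side: look at which resolvers the machine actually uses. The script below is an added example, not part of the thread: it parses the "DNS Servers" block from `ipconfig /all` output, including the indented continuation line Windows prints for a second resolver, and reports any resolver that is not inside the networks you expect. The ipconfig excerpt is constructed for the example, the home LAN is assumed to be 192.168.1.0/24, and 203.0.113.7 is a documentation-range address standing in for an unknown outside resolver.

```python
import ipaddress
import re

# Constructed excerpt of "ipconfig /all" output for this example; the addresses are
# invented (203.0.113.7 is from the TEST-NET-3 documentation range) and the
# layout copies Windows' dotted-label style with one continuation line.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       192.168.1.1
"""

# Networks whose resolvers we expect to see: here the assumed home LAN behind
# the router. Add the ISP's published resolver addresses if the router hands
# those out directly (no particular ISP is assumed here).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

DNS_LINE_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION_RE = re.compile(r"^\s{20,}(\S+)\s*$")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in ipconfig /all output, in order."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = DNS_LINE_RE.match(line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        if collecting:
            m = CONTINUATION_RE.match(line)
            if m:  # extra resolvers are printed indented under the first one
                servers.append(m.group(1))
                continue
            collecting = False  # any other line ends the DNS Servers block
    return servers


def classify_dns_servers(servers, trusted_networks=TRUSTED_NETWORKS):
    """Split servers into (trusted, unexpected) by membership in trusted_networks.
    Anything that does not parse as an IP address is also reported as unexpected."""
    trusted, unexpected = [], []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            unexpected.append(s)
            continue
        if any(addr in net for net in trusted_networks):
            trusted.append(s)
        else:
            unexpected.append(s)
    return trusted, unexpected


def check_ipconfig(ipconfig_text, trusted_networks=TRUSTED_NETWORKS):
    """Parse then classify; returns (trusted, unexpected)."""
    return classify_dns_servers(parse_dns_servers(ipconfig_text), trusted_networks)


if __name__ == "__main__":
    trusted, unexpected = check_ipconfig(SAMPLE_IPCONFIG)
    print("trusted resolvers:   ", trusted)
    print("unexpected resolvers:", unexpected)  # empty on a clean setup
```

On a real machine you would feed it the saved output of `ipconfig /all` instead of the sample. An unexpected resolver is only a lead, not proof: the same check on a second machine behind the same router (the question askey127 asks above) tells you whether the change lives in the router or in this PC's adapter settings.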

Otis,
------------------------------------------------------
Warning - Compromised Data
Because the TDL3 rootkit infection has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine. That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well.
Don't use the infected machine to make the changes.
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.

Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it. **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**

DISABLE AVAST
Right click on the avast! icon in system tray and choose (Stop On-Access Protection)
Avast On-Access Protection is now disabled.

Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".

OK any disclaimers and start the Scan.

Do not touch the computer AT ALL while ComboFix is running.

When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.

A copy of the log will be located here if you need it -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

So we are looking for the results from SystemLook.txt and the log from ComboFix (zzz.exe).

askey127

kcarlasc,
------------------------------------------------------
Warning - Compromised Data
Because the infection (TDSS Rootkit) has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen.
Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine.
I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine. That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well.
Don't use the infected machine to make the changes.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator.
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools; ignore them or shut down your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If it does not, delete the desktop entry. Then download and use the one provided in the next link.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.
